Documentation ¶
Index ¶
- Variables
- type AuthorizationPolicy
- func (in *AuthorizationPolicy) DeepCopy() *AuthorizationPolicy
- func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy)
- func (*AuthorizationPolicy) Descriptor() ([]byte, []int)
- func (m *AuthorizationPolicy) GetAction() AuthorizationPolicy_Action
- func (m *AuthorizationPolicy) GetRules() []*Rule
- func (m *AuthorizationPolicy) GetSelector() *v1beta1.WorkloadSelector
- func (m *AuthorizationPolicy) Marshal() (dAtA []byte, err error)
- func (this *AuthorizationPolicy) MarshalJSON() ([]byte, error)
- func (m *AuthorizationPolicy) MarshalTo(dAtA []byte) (int, error)
- func (m *AuthorizationPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*AuthorizationPolicy) ProtoMessage()
- func (m *AuthorizationPolicy) Reset()
- func (m *AuthorizationPolicy) Size() (n int)
- func (m *AuthorizationPolicy) String() string
- func (m *AuthorizationPolicy) Unmarshal(dAtA []byte) error
- func (this *AuthorizationPolicy) UnmarshalJSON(b []byte) error
- func (m *AuthorizationPolicy) XXX_DiscardUnknown()
- func (m *AuthorizationPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *AuthorizationPolicy) XXX_Merge(src proto.Message)
- func (m *AuthorizationPolicy) XXX_Size() int
- func (m *AuthorizationPolicy) XXX_Unmarshal(b []byte) error
- type AuthorizationPolicy_Action
- type Condition
- func (in *Condition) DeepCopy() *Condition
- func (in *Condition) DeepCopyInto(out *Condition)
- func (*Condition) Descriptor() ([]byte, []int)
- func (m *Condition) GetKey() string
- func (m *Condition) GetNotValues() []string
- func (m *Condition) GetValues() []string
- func (m *Condition) Marshal() (dAtA []byte, err error)
- func (this *Condition) MarshalJSON() ([]byte, error)
- func (m *Condition) MarshalTo(dAtA []byte) (int, error)
- func (m *Condition) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*Condition) ProtoMessage()
- func (m *Condition) Reset()
- func (m *Condition) Size() (n int)
- func (m *Condition) String() string
- func (m *Condition) Unmarshal(dAtA []byte) error
- func (this *Condition) UnmarshalJSON(b []byte) error
- func (m *Condition) XXX_DiscardUnknown()
- func (m *Condition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *Condition) XXX_Merge(src proto.Message)
- func (m *Condition) XXX_Size() int
- func (m *Condition) XXX_Unmarshal(b []byte) error
- type JWTHeader
- func (in *JWTHeader) DeepCopy() *JWTHeader
- func (in *JWTHeader) DeepCopyInto(out *JWTHeader)
- func (*JWTHeader) Descriptor() ([]byte, []int)
- func (m *JWTHeader) GetName() string
- func (m *JWTHeader) GetPrefix() string
- func (m *JWTHeader) Marshal() (dAtA []byte, err error)
- func (this *JWTHeader) MarshalJSON() ([]byte, error)
- func (m *JWTHeader) MarshalTo(dAtA []byte) (int, error)
- func (m *JWTHeader) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*JWTHeader) ProtoMessage()
- func (m *JWTHeader) Reset()
- func (m *JWTHeader) Size() (n int)
- func (m *JWTHeader) String() string
- func (m *JWTHeader) Unmarshal(dAtA []byte) error
- func (this *JWTHeader) UnmarshalJSON(b []byte) error
- func (m *JWTHeader) XXX_DiscardUnknown()
- func (m *JWTHeader) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *JWTHeader) XXX_Merge(src proto.Message)
- func (m *JWTHeader) XXX_Size() int
- func (m *JWTHeader) XXX_Unmarshal(b []byte) error
- type JWTRule
- func (in *JWTRule) DeepCopy() *JWTRule
- func (in *JWTRule) DeepCopyInto(out *JWTRule)
- func (*JWTRule) Descriptor() ([]byte, []int)
- func (m *JWTRule) GetAudiences() []string
- func (m *JWTRule) GetForwardOriginalToken() bool
- func (m *JWTRule) GetFromHeaders() []*JWTHeader
- func (m *JWTRule) GetFromParams() []string
- func (m *JWTRule) GetIssuer() string
- func (m *JWTRule) GetJwks() string
- func (m *JWTRule) GetJwksUri() string
- func (m *JWTRule) GetOutputPayloadToHeader() string
- func (m *JWTRule) Marshal() (dAtA []byte, err error)
- func (this *JWTRule) MarshalJSON() ([]byte, error)
- func (m *JWTRule) MarshalTo(dAtA []byte) (int, error)
- func (m *JWTRule) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*JWTRule) ProtoMessage()
- func (m *JWTRule) Reset()
- func (m *JWTRule) Size() (n int)
- func (m *JWTRule) String() string
- func (m *JWTRule) Unmarshal(dAtA []byte) error
- func (this *JWTRule) UnmarshalJSON(b []byte) error
- func (m *JWTRule) XXX_DiscardUnknown()
- func (m *JWTRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *JWTRule) XXX_Merge(src proto.Message)
- func (m *JWTRule) XXX_Size() int
- func (m *JWTRule) XXX_Unmarshal(b []byte) error
- type Operation
- func (in *Operation) DeepCopy() *Operation
- func (in *Operation) DeepCopyInto(out *Operation)
- func (*Operation) Descriptor() ([]byte, []int)
- func (m *Operation) GetHosts() []string
- func (m *Operation) GetMethods() []string
- func (m *Operation) GetNotHosts() []string
- func (m *Operation) GetNotMethods() []string
- func (m *Operation) GetNotPaths() []string
- func (m *Operation) GetNotPorts() []string
- func (m *Operation) GetPaths() []string
- func (m *Operation) GetPorts() []string
- func (m *Operation) Marshal() (dAtA []byte, err error)
- func (this *Operation) MarshalJSON() ([]byte, error)
- func (m *Operation) MarshalTo(dAtA []byte) (int, error)
- func (m *Operation) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*Operation) ProtoMessage()
- func (m *Operation) Reset()
- func (m *Operation) Size() (n int)
- func (m *Operation) String() string
- func (m *Operation) Unmarshal(dAtA []byte) error
- func (this *Operation) UnmarshalJSON(b []byte) error
- func (m *Operation) XXX_DiscardUnknown()
- func (m *Operation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *Operation) XXX_Merge(src proto.Message)
- func (m *Operation) XXX_Size() int
- func (m *Operation) XXX_Unmarshal(b []byte) error
- type PeerAuthentication
- func (in *PeerAuthentication) DeepCopy() *PeerAuthentication
- func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication)
- func (*PeerAuthentication) Descriptor() ([]byte, []int)
- func (m *PeerAuthentication) GetMtls() *PeerAuthentication_MutualTLS
- func (m *PeerAuthentication) GetPortLevelMtls() map[uint32]*PeerAuthentication_MutualTLS
- func (m *PeerAuthentication) GetSelector() *v1beta1.WorkloadSelector
- func (m *PeerAuthentication) Marshal() (dAtA []byte, err error)
- func (this *PeerAuthentication) MarshalJSON() ([]byte, error)
- func (m *PeerAuthentication) MarshalTo(dAtA []byte) (int, error)
- func (m *PeerAuthentication) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*PeerAuthentication) ProtoMessage()
- func (m *PeerAuthentication) Reset()
- func (m *PeerAuthentication) Size() (n int)
- func (m *PeerAuthentication) String() string
- func (m *PeerAuthentication) Unmarshal(dAtA []byte) error
- func (this *PeerAuthentication) UnmarshalJSON(b []byte) error
- func (m *PeerAuthentication) XXX_DiscardUnknown()
- func (m *PeerAuthentication) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *PeerAuthentication) XXX_Merge(src proto.Message)
- func (m *PeerAuthentication) XXX_Size() int
- func (m *PeerAuthentication) XXX_Unmarshal(b []byte) error
- type PeerAuthentication_MutualTLS
- func (in *PeerAuthentication_MutualTLS) DeepCopy() *PeerAuthentication_MutualTLS
- func (in *PeerAuthentication_MutualTLS) DeepCopyInto(out *PeerAuthentication_MutualTLS)
- func (*PeerAuthentication_MutualTLS) Descriptor() ([]byte, []int)
- func (m *PeerAuthentication_MutualTLS) GetMode() PeerAuthentication_MutualTLS_Mode
- func (m *PeerAuthentication_MutualTLS) Marshal() (dAtA []byte, err error)
- func (this *PeerAuthentication_MutualTLS) MarshalJSON() ([]byte, error)
- func (m *PeerAuthentication_MutualTLS) MarshalTo(dAtA []byte) (int, error)
- func (m *PeerAuthentication_MutualTLS) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*PeerAuthentication_MutualTLS) ProtoMessage()
- func (m *PeerAuthentication_MutualTLS) Reset()
- func (m *PeerAuthentication_MutualTLS) Size() (n int)
- func (m *PeerAuthentication_MutualTLS) String() string
- func (m *PeerAuthentication_MutualTLS) Unmarshal(dAtA []byte) error
- func (this *PeerAuthentication_MutualTLS) UnmarshalJSON(b []byte) error
- func (m *PeerAuthentication_MutualTLS) XXX_DiscardUnknown()
- func (m *PeerAuthentication_MutualTLS) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *PeerAuthentication_MutualTLS) XXX_Merge(src proto.Message)
- func (m *PeerAuthentication_MutualTLS) XXX_Size() int
- func (m *PeerAuthentication_MutualTLS) XXX_Unmarshal(b []byte) error
- type PeerAuthentication_MutualTLS_Mode
- type RequestAuthentication
- func (in *RequestAuthentication) DeepCopy() *RequestAuthentication
- func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication)
- func (*RequestAuthentication) Descriptor() ([]byte, []int)
- func (m *RequestAuthentication) GetJwtRules() []*JWTRule
- func (m *RequestAuthentication) GetSelector() *v1beta1.WorkloadSelector
- func (m *RequestAuthentication) Marshal() (dAtA []byte, err error)
- func (this *RequestAuthentication) MarshalJSON() ([]byte, error)
- func (m *RequestAuthentication) MarshalTo(dAtA []byte) (int, error)
- func (m *RequestAuthentication) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*RequestAuthentication) ProtoMessage()
- func (m *RequestAuthentication) Reset()
- func (m *RequestAuthentication) Size() (n int)
- func (m *RequestAuthentication) String() string
- func (m *RequestAuthentication) Unmarshal(dAtA []byte) error
- func (this *RequestAuthentication) UnmarshalJSON(b []byte) error
- func (m *RequestAuthentication) XXX_DiscardUnknown()
- func (m *RequestAuthentication) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *RequestAuthentication) XXX_Merge(src proto.Message)
- func (m *RequestAuthentication) XXX_Size() int
- func (m *RequestAuthentication) XXX_Unmarshal(b []byte) error
- type Rule
- func (in *Rule) DeepCopy() *Rule
- func (in *Rule) DeepCopyInto(out *Rule)
- func (*Rule) Descriptor() ([]byte, []int)
- func (m *Rule) GetFrom() []*Rule_From
- func (m *Rule) GetTo() []*Rule_To
- func (m *Rule) GetWhen() []*Condition
- func (m *Rule) Marshal() (dAtA []byte, err error)
- func (this *Rule) MarshalJSON() ([]byte, error)
- func (m *Rule) MarshalTo(dAtA []byte) (int, error)
- func (m *Rule) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*Rule) ProtoMessage()
- func (m *Rule) Reset()
- func (m *Rule) Size() (n int)
- func (m *Rule) String() string
- func (m *Rule) Unmarshal(dAtA []byte) error
- func (this *Rule) UnmarshalJSON(b []byte) error
- func (m *Rule) XXX_DiscardUnknown()
- func (m *Rule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *Rule) XXX_Merge(src proto.Message)
- func (m *Rule) XXX_Size() int
- func (m *Rule) XXX_Unmarshal(b []byte) error
- type Rule_From
- func (in *Rule_From) DeepCopy() *Rule_From
- func (in *Rule_From) DeepCopyInto(out *Rule_From)
- func (*Rule_From) Descriptor() ([]byte, []int)
- func (m *Rule_From) GetSource() *Source
- func (m *Rule_From) Marshal() (dAtA []byte, err error)
- func (this *Rule_From) MarshalJSON() ([]byte, error)
- func (m *Rule_From) MarshalTo(dAtA []byte) (int, error)
- func (m *Rule_From) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*Rule_From) ProtoMessage()
- func (m *Rule_From) Reset()
- func (m *Rule_From) Size() (n int)
- func (m *Rule_From) String() string
- func (m *Rule_From) Unmarshal(dAtA []byte) error
- func (this *Rule_From) UnmarshalJSON(b []byte) error
- func (m *Rule_From) XXX_DiscardUnknown()
- func (m *Rule_From) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *Rule_From) XXX_Merge(src proto.Message)
- func (m *Rule_From) XXX_Size() int
- func (m *Rule_From) XXX_Unmarshal(b []byte) error
- type Rule_To
- func (in *Rule_To) DeepCopy() *Rule_To
- func (in *Rule_To) DeepCopyInto(out *Rule_To)
- func (*Rule_To) Descriptor() ([]byte, []int)
- func (m *Rule_To) GetOperation() *Operation
- func (m *Rule_To) Marshal() (dAtA []byte, err error)
- func (this *Rule_To) MarshalJSON() ([]byte, error)
- func (m *Rule_To) MarshalTo(dAtA []byte) (int, error)
- func (m *Rule_To) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*Rule_To) ProtoMessage()
- func (m *Rule_To) Reset()
- func (m *Rule_To) Size() (n int)
- func (m *Rule_To) String() string
- func (m *Rule_To) Unmarshal(dAtA []byte) error
- func (this *Rule_To) UnmarshalJSON(b []byte) error
- func (m *Rule_To) XXX_DiscardUnknown()
- func (m *Rule_To) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *Rule_To) XXX_Merge(src proto.Message)
- func (m *Rule_To) XXX_Size() int
- func (m *Rule_To) XXX_Unmarshal(b []byte) error
- type Source
- func (in *Source) DeepCopy() *Source
- func (in *Source) DeepCopyInto(out *Source)
- func (*Source) Descriptor() ([]byte, []int)
- func (m *Source) GetIpBlocks() []string
- func (m *Source) GetNamespaces() []string
- func (m *Source) GetNotIpBlocks() []string
- func (m *Source) GetNotNamespaces() []string
- func (m *Source) GetNotPrincipals() []string
- func (m *Source) GetNotRequestPrincipals() []string
- func (m *Source) GetPrincipals() []string
- func (m *Source) GetRequestPrincipals() []string
- func (m *Source) Marshal() (dAtA []byte, err error)
- func (this *Source) MarshalJSON() ([]byte, error)
- func (m *Source) MarshalTo(dAtA []byte) (int, error)
- func (m *Source) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*Source) ProtoMessage()
- func (m *Source) Reset()
- func (m *Source) Size() (n int)
- func (m *Source) String() string
- func (m *Source) Unmarshal(dAtA []byte) error
- func (this *Source) UnmarshalJSON(b []byte) error
- func (m *Source) XXX_DiscardUnknown()
- func (m *Source) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *Source) XXX_Merge(src proto.Message)
- func (m *Source) XXX_Size() int
- func (m *Source) XXX_Unmarshal(b []byte) error
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidLengthAuthorization = fmt.Errorf("proto: negative length found during unmarshaling") ErrIntOverflowAuthorization = fmt.Errorf("proto: integer overflow") )
var ( AuthorizationMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{} AuthorizationUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{} )
var ( ErrInvalidLengthJwt = fmt.Errorf("proto: negative length found during unmarshaling") ErrIntOverflowJwt = fmt.Errorf("proto: integer overflow") )
var ( JwtMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{} JwtUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{} )
var ( ErrInvalidLengthPeerAuthentication = fmt.Errorf("proto: negative length found during unmarshaling") ErrIntOverflowPeerAuthentication = fmt.Errorf("proto: integer overflow") )
var ( PeerAuthenticationMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{} PeerAuthenticationUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{} )
var ( ErrInvalidLengthRequestAuthentication = fmt.Errorf("proto: negative length found during unmarshaling") ErrIntOverflowRequestAuthentication = fmt.Errorf("proto: integer overflow") )
var ( RequestAuthenticationMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{} RequestAuthenticationUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{} )
var AuthorizationPolicy_Action_name = map[int32]string{
0: "ALLOW",
1: "DENY",
2: "AUDIT",
}
var AuthorizationPolicy_Action_value = map[string]int32{
"ALLOW": 0,
"DENY": 1,
"AUDIT": 2,
}
var PeerAuthentication_MutualTLS_Mode_name = map[int32]string{
0: "UNSET",
1: "DISABLE",
2: "PERMISSIVE",
3: "STRICT",
}
var PeerAuthentication_MutualTLS_Mode_value = map[string]int32{
"UNSET": 0,
"DISABLE": 1,
"PERMISSIVE": 2,
"STRICT": 3,
}
Functions ¶
This section is empty.
Types ¶
type AuthorizationPolicy ¶
type AuthorizationPolicy struct { // Optional. Workload selector decides where to apply the authorization policy. // If not set, the authorization policy will be applied to all workloads in the // same namespace as the authorization policy. Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // Optional. A list of rules to match the request. A match occurs when at least // one rule matches the request. // // If not set, the match will never occur. This is equivalent to setting a // default of deny for the target workloads. Rules []*Rule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"` // Optional. The action to take if the request is matched with the rules. Action AuthorizationPolicy_Action `protobuf:"varint,3,opt,name=action,proto3,enum=istio.security.v1beta1.AuthorizationPolicy_Action" json:"action,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
AuthorizationPolicy enables access control on workloads.
For example, the following authorization policy denies all requests to workloads in namespace foo.
```yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: deny-all namespace: foo
spec:
{}
```
The following authorization policy allows all requests to workloads in namespace foo.
```yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: allow-all namespace: foo
spec:
rules: - {}
```
<!-- crd generation tags +cue-gen:AuthorizationPolicy:groupName:security.istio.io +cue-gen:AuthorizationPolicy:version:v1beta1 +cue-gen:AuthorizationPolicy:storageVersion +cue-gen:AuthorizationPolicy:annotations:helm.sh/resource-policy=keep +cue-gen:AuthorizationPolicy:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:AuthorizationPolicy:subresource:status +cue-gen:AuthorizationPolicy:scope:Namespaced +cue-gen:AuthorizationPolicy:resource:categories=istio-io,security-istio-io,plural=authorizationpolicies -->
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->
func (*AuthorizationPolicy) DeepCopy ¶
func (in *AuthorizationPolicy) DeepCopy() *AuthorizationPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy. Required by controller-gen.
func (*AuthorizationPolicy) DeepCopyInto ¶
func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy)
DeepCopyInto supports using AuthorizationPolicy within kubernetes types, where deepcopy-gen is used.
func (*AuthorizationPolicy) Descriptor ¶
func (*AuthorizationPolicy) Descriptor() ([]byte, []int)
func (*AuthorizationPolicy) GetAction ¶
func (m *AuthorizationPolicy) GetAction() AuthorizationPolicy_Action
func (*AuthorizationPolicy) GetRules ¶
func (m *AuthorizationPolicy) GetRules() []*Rule
func (*AuthorizationPolicy) GetSelector ¶
func (m *AuthorizationPolicy) GetSelector() *v1beta1.WorkloadSelector
func (*AuthorizationPolicy) Marshal ¶
func (m *AuthorizationPolicy) Marshal() (dAtA []byte, err error)
func (*AuthorizationPolicy) MarshalJSON ¶
func (this *AuthorizationPolicy) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for AuthorizationPolicy
func (*AuthorizationPolicy) MarshalTo ¶
func (m *AuthorizationPolicy) MarshalTo(dAtA []byte) (int, error)
func (*AuthorizationPolicy) MarshalToSizedBuffer ¶
func (m *AuthorizationPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error)
func (*AuthorizationPolicy) ProtoMessage ¶
func (*AuthorizationPolicy) ProtoMessage()
func (*AuthorizationPolicy) Reset ¶
func (m *AuthorizationPolicy) Reset()
func (*AuthorizationPolicy) Size ¶
func (m *AuthorizationPolicy) Size() (n int)
func (*AuthorizationPolicy) String ¶
func (m *AuthorizationPolicy) String() string
func (*AuthorizationPolicy) Unmarshal ¶
func (m *AuthorizationPolicy) Unmarshal(dAtA []byte) error
func (*AuthorizationPolicy) UnmarshalJSON ¶
func (this *AuthorizationPolicy) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for AuthorizationPolicy
func (*AuthorizationPolicy) XXX_DiscardUnknown ¶
func (m *AuthorizationPolicy) XXX_DiscardUnknown()
func (*AuthorizationPolicy) XXX_Marshal ¶
func (m *AuthorizationPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*AuthorizationPolicy) XXX_Merge ¶
func (m *AuthorizationPolicy) XXX_Merge(src proto.Message)
func (*AuthorizationPolicy) XXX_Size ¶
func (m *AuthorizationPolicy) XXX_Size() int
func (*AuthorizationPolicy) XXX_Unmarshal ¶
func (m *AuthorizationPolicy) XXX_Unmarshal(b []byte) error
type AuthorizationPolicy_Action ¶
type AuthorizationPolicy_Action int32
Action specifies the operation to take.
const ( // Allow a request only if it matches the rules. This is the default type. AuthorizationPolicy_ALLOW AuthorizationPolicy_Action = 0 // Deny a request if it matches any of the rules. AuthorizationPolicy_DENY AuthorizationPolicy_Action = 1 AuthorizationPolicy_AUDIT AuthorizationPolicy_Action = 2 )
func (AuthorizationPolicy_Action) EnumDescriptor ¶
func (AuthorizationPolicy_Action) EnumDescriptor() ([]byte, []int)
func (AuthorizationPolicy_Action) String ¶
func (x AuthorizationPolicy_Action) String() string
type Condition ¶
type Condition struct { // The name of an Istio attribute. // See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/). Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` // Optional. A list of allowed values for the attribute. // Note: at least one of values or not_values must be set. Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"` // Optional. A list of negative match of values for the attribute. // Note: at least one of values or not_values must be set. NotValues []string `protobuf:"bytes,3,rep,name=not_values,json=notValues,proto3" json:"not_values,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
Condition specifies additional required attributes.
func (*Condition) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. Required by controller-gen.
func (*Condition) DeepCopyInto ¶
DeepCopyInto supports using Condition within kubernetes types, where deepcopy-gen is used.
func (*Condition) Descriptor ¶
func (*Condition) GetNotValues ¶
func (*Condition) MarshalJSON ¶
MarshalJSON is a custom marshaler for Condition
func (*Condition) MarshalToSizedBuffer ¶
func (*Condition) ProtoMessage ¶
func (*Condition) ProtoMessage()
func (*Condition) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Condition
func (*Condition) XXX_DiscardUnknown ¶
func (m *Condition) XXX_DiscardUnknown()
func (*Condition) XXX_Marshal ¶
func (*Condition) XXX_Unmarshal ¶
type JWTHeader ¶
type JWTHeader struct { // The HTTP header name. Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` // The prefix that should be stripped before decoding the token. // For example, for "Authorization: Bearer <token>", prefix="Bearer " with a space at the end. // If the header doesn't have this exact prefix, it is considerred invalid. Prefix string `protobuf:"bytes,2,opt,name=prefix,proto3" json:"prefix,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
This message specifies a header location to extract JWT token.
func (*JWTHeader) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTHeader. Required by controller-gen.
func (*JWTHeader) DeepCopyInto ¶
DeepCopyInto supports using JWTHeader within kubernetes types, where deepcopy-gen is used.
func (*JWTHeader) Descriptor ¶
func (*JWTHeader) MarshalJSON ¶
MarshalJSON is a custom marshaler for JWTHeader
func (*JWTHeader) MarshalToSizedBuffer ¶
func (*JWTHeader) ProtoMessage ¶
func (*JWTHeader) ProtoMessage()
func (*JWTHeader) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for JWTHeader
func (*JWTHeader) XXX_DiscardUnknown ¶
func (m *JWTHeader) XXX_DiscardUnknown()
func (*JWTHeader) XXX_Marshal ¶
func (*JWTHeader) XXX_Unmarshal ¶
type JWTRule ¶
type JWTRule struct { // Identifies the issuer that issued the JWT. See // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) // A JWT with different `iss` claim will be rejected. // // Example: https://foobar.auth0.com // Example: 1234567-compute@developer.gserviceaccount.com Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"` // The list of JWT // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). // that are allowed to access. A JWT containing any of these // audiences will be accepted. // // The service name will be accepted if audiences is empty. // // Example: // // “`yaml // audiences: // - bookstore_android.apps.example.com // bookstore_web.apps.example.com // “` Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"` // URL of the provider's public key set to validate signature of the // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). // // Optional if the key set document can either (a) be retrieved from // [OpenID // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of // the issuer or (b) inferred from the email domain of the issuer (e.g. a // Google service account). // // Example: `https://www.googleapis.com/oauth2/v1/certs` // // Note: Only one of jwks_uri and jwks should be used. jwks_uri will be ignored if it does. JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwks_uri,omitempty"` // JSON Web Key Set of public keys to validate signature of the JWT. // See https://auth0.com/docs/jwks. // // Note: Only one of jwks_uri and jwks should be used. jwks_uri will be ignored if it does. Jwks string `protobuf:"bytes,10,opt,name=jwks,proto3" json:"jwks,omitempty"` // List of header locations from which JWT is expected. For example, below is the location spec // if JWT is expected to be found in `x-jwt-assertion` header, and have "Bearer " prefix: // “` // fromHeaders: // - name: x-jwt-assertion // prefix: "Bearer " // “` FromHeaders []*JWTHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"` // List of query parameters from which JWT is expected. For example, if JWT is provided via query // parameter `my_token` (e.g /path?my_token=<JWT>), the config is: // “` // fromParams: // - "my_token" // “` FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"` // This field specifies the header name to output a successfully verified JWT payload to the // backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, // the payload will not be emitted. OutputPayloadToHeader string `` /* 128-byte string literal not displayed */ // If set to true, the orginal token will be kept for the ustream request. Default is false. ForwardOriginalToken bool `protobuf:"varint,9,opt,name=forward_original_token,json=forwardOriginalToken,proto3" json:"forward_original_token,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.
Examples:
Spec for a JWT that is issued by `https://example.com`, with the audience claims must be either `bookstore_android.apps.example.com` or `bookstore_web.apps.example.com`. The token should be presented at the `Authorization` header (default). The Json web key set (JWKS) will be discovered followwing OpenID Connect protocol.
```yaml issuer: https://example.com audiences:
- bookstore_android.apps.example.com bookstore_web.apps.example.com
```
This example specifies token in non-default location (`x-goog-iap-jwt-assertion` header). It also defines the URI to fetch JWKS explicitly.
```yaml issuer: https://example.com jwksUri: https://example.com/.secret/jwks.json jwtHeaders: - "x-goog-iap-jwt-assertion" ```
func (*JWTRule) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTRule. Required by controller-gen.
func (*JWTRule) DeepCopyInto ¶
DeepCopyInto supports using JWTRule within kubernetes types, where deepcopy-gen is used.
func (*JWTRule) Descriptor ¶
func (*JWTRule) GetAudiences ¶
func (*JWTRule) GetForwardOriginalToken ¶
func (*JWTRule) GetFromHeaders ¶
func (*JWTRule) GetFromParams ¶
func (*JWTRule) GetJwksUri ¶
func (*JWTRule) GetOutputPayloadToHeader ¶
func (*JWTRule) MarshalJSON ¶
MarshalJSON is a custom marshaler for JWTRule
func (*JWTRule) MarshalToSizedBuffer ¶
func (*JWTRule) ProtoMessage ¶
func (*JWTRule) ProtoMessage()
func (*JWTRule) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for JWTRule
func (*JWTRule) XXX_DiscardUnknown ¶
func (m *JWTRule) XXX_DiscardUnknown()
func (*JWTRule) XXX_Marshal ¶
func (*JWTRule) XXX_Unmarshal ¶
type Operation ¶
type Operation struct { // Optional. A list of hosts, which matches to the "request.host" attribute. // // If not set, any host is allowed. Must be used only with HTTP. Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"` // Optional. A list of negative match of hosts. NotHosts []string `protobuf:"bytes,5,rep,name=not_hosts,json=notHosts,proto3" json:"not_hosts,omitempty"` // Optional. A list of ports, which matches to the "destination.port" attribute. // // If not set, any port is allowed. Ports []string `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"` // Optional. A list of negative match of ports. NotPorts []string `protobuf:"bytes,6,rep,name=not_ports,json=notPorts,proto3" json:"not_ports,omitempty"` // Optional. A list of methods, which matches to the "request.method" attribute. // For gRPC service, this will always be "POST". // // If not set, any method is allowed. Must be used only with HTTP. Methods []string `protobuf:"bytes,3,rep,name=methods,proto3" json:"methods,omitempty"` // Optional. A list of negative match of methods. NotMethods []string `protobuf:"bytes,7,rep,name=not_methods,json=notMethods,proto3" json:"not_methods,omitempty"` // Optional. A list of paths, which matches to the "request.url_path" attribute. // For gRPC service, this will be the fully-qualified name in the form of // "/package.service/method". // // If not set, any path is allowed. Must be used only with HTTP. Paths []string `protobuf:"bytes,4,rep,name=paths,proto3" json:"paths,omitempty"` // Optional. A list of negative match of paths. NotPaths []string `protobuf:"bytes,8,rep,name=not_paths,json=notPaths,proto3" json:"not_paths,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
Operation specifies the operations of a request. Fields in the operation are ANDed together.
For example, the following operation matches if the host has suffix ".example.com" and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".
```yaml hosts: ["*.example.com"] methods: ["GET", "HEAD"] not_paths: ["/admin*"] ```
func (*Operation) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Operation. Required by controller-gen.
func (*Operation) DeepCopyInto ¶
DeepCopyInto supports using Operation within kubernetes types, where deepcopy-gen is used.
func (*Operation) Descriptor ¶
func (*Operation) GetMethods ¶
func (*Operation) GetNotHosts ¶
func (*Operation) GetNotMethods ¶
func (*Operation) GetNotPaths ¶
func (*Operation) GetNotPorts ¶
func (*Operation) MarshalJSON ¶
MarshalJSON is a custom marshaler for Operation
func (*Operation) MarshalToSizedBuffer ¶
func (*Operation) ProtoMessage ¶
func (*Operation) ProtoMessage()
func (*Operation) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Operation
func (*Operation) XXX_DiscardUnknown ¶
func (m *Operation) XXX_DiscardUnknown()
func (*Operation) XXX_Marshal ¶
func (*Operation) XXX_Unmarshal ¶
type PeerAuthentication ¶
type PeerAuthentication struct { // The selector determines the workloads to apply the ChannelAuthentication on. // If not set, the policy will be applied to all workloads in the same namespace as the policy. Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // Mutual TLS settings for workload. If not defined, inherit from parent. Mtls *PeerAuthentication_MutualTLS `protobuf:"bytes,2,opt,name=mtls,proto3" json:"mtls,omitempty"` // Port specific mutual TLS settings. PortLevelMtls map[uint32]*PeerAuthentication_MutualTLS `` /* 191-byte string literal not displayed */ XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
Examples:
Policy to allow mTLS traffic for all workloads under namespace `foo`: ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: default namespace: foo
spec:
mtls: mode: STRICT
``` For mesh level, put the policy in root-namespace according to your Istio installation.
Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but require mTLS for workload `finance`. ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: default namespace: foo
spec:
mtls: mode: PERMISSIVE
--- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: default namespace: foo
spec:
selector: matchLabels: app: finance mtls: mode: STRICT
``` Policy to allow mTLS strict for all workloads, but leave port 8080 to plaintext: ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: default namespace: foo
spec:
selector: matchLabels: app: finance mtls: mode: STRICT portLevelMtls: 8080: mode: DISABLE
``` Policy to inherite mTLS mode from namespace (or mesh) settings, and overwrite settings for port 8080 ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: default namespace: foo
spec:
selector: matchLabels: app: finance mtls: mode: UNSET portLevelMtls: 8080: mode: DISABLE
```
<!-- crd generation tags +cue-gen:PeerAuthentication:groupName:security.istio.io +cue-gen:PeerAuthentication:version:v1beta1 +cue-gen:PeerAuthentication:storageVersion +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:PeerAuthentication:subresource:status +cue-gen:PeerAuthentication:scope:Namespaced +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa -->
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->
func (*PeerAuthentication) DeepCopy ¶
func (in *PeerAuthentication) DeepCopy() *PeerAuthentication
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication. Required by controller-gen.
func (*PeerAuthentication) DeepCopyInto ¶
func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication)
DeepCopyInto supports using PeerAuthentication within kubernetes types, where deepcopy-gen is used.
func (*PeerAuthentication) Descriptor ¶
func (*PeerAuthentication) Descriptor() ([]byte, []int)
func (*PeerAuthentication) GetMtls ¶
func (m *PeerAuthentication) GetMtls() *PeerAuthentication_MutualTLS
func (*PeerAuthentication) GetPortLevelMtls ¶
func (m *PeerAuthentication) GetPortLevelMtls() map[uint32]*PeerAuthentication_MutualTLS
func (*PeerAuthentication) GetSelector ¶
func (m *PeerAuthentication) GetSelector() *v1beta1.WorkloadSelector
func (*PeerAuthentication) Marshal ¶
func (m *PeerAuthentication) Marshal() (dAtA []byte, err error)
func (*PeerAuthentication) MarshalJSON ¶
func (this *PeerAuthentication) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for PeerAuthentication
func (*PeerAuthentication) MarshalTo ¶
func (m *PeerAuthentication) MarshalTo(dAtA []byte) (int, error)
func (*PeerAuthentication) MarshalToSizedBuffer ¶
func (m *PeerAuthentication) MarshalToSizedBuffer(dAtA []byte) (int, error)
func (*PeerAuthentication) ProtoMessage ¶
func (*PeerAuthentication) ProtoMessage()
func (*PeerAuthentication) Reset ¶
func (m *PeerAuthentication) Reset()
func (*PeerAuthentication) Size ¶
func (m *PeerAuthentication) Size() (n int)
func (*PeerAuthentication) String ¶
func (m *PeerAuthentication) String() string
func (*PeerAuthentication) Unmarshal ¶
func (m *PeerAuthentication) Unmarshal(dAtA []byte) error
func (*PeerAuthentication) UnmarshalJSON ¶
func (this *PeerAuthentication) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for PeerAuthentication
func (*PeerAuthentication) XXX_DiscardUnknown ¶
func (m *PeerAuthentication) XXX_DiscardUnknown()
func (*PeerAuthentication) XXX_Marshal ¶
func (m *PeerAuthentication) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*PeerAuthentication) XXX_Merge ¶
func (m *PeerAuthentication) XXX_Merge(src proto.Message)
func (*PeerAuthentication) XXX_Size ¶
func (m *PeerAuthentication) XXX_Size() int
func (*PeerAuthentication) XXX_Unmarshal ¶
func (m *PeerAuthentication) XXX_Unmarshal(b []byte) error
type PeerAuthentication_MutualTLS ¶
type PeerAuthentication_MutualTLS struct { // Defines the mTLS mode used for peer authentication. Mode PeerAuthentication_MutualTLS_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.security.v1beta1.PeerAuthentication_MutualTLS_Mode" json:"mode,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
Mutual TLS settings.
func (*PeerAuthentication_MutualTLS) DeepCopy ¶
func (in *PeerAuthentication_MutualTLS) DeepCopy() *PeerAuthentication_MutualTLS
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication_MutualTLS. Required by controller-gen.
func (*PeerAuthentication_MutualTLS) DeepCopyInto ¶
func (in *PeerAuthentication_MutualTLS) DeepCopyInto(out *PeerAuthentication_MutualTLS)
DeepCopyInto supports using PeerAuthentication_MutualTLS within kubernetes types, where deepcopy-gen is used.
func (*PeerAuthentication_MutualTLS) Descriptor ¶
func (*PeerAuthentication_MutualTLS) Descriptor() ([]byte, []int)
func (*PeerAuthentication_MutualTLS) GetMode ¶
func (m *PeerAuthentication_MutualTLS) GetMode() PeerAuthentication_MutualTLS_Mode
func (*PeerAuthentication_MutualTLS) Marshal ¶
func (m *PeerAuthentication_MutualTLS) Marshal() (dAtA []byte, err error)
func (*PeerAuthentication_MutualTLS) MarshalJSON ¶
func (this *PeerAuthentication_MutualTLS) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for PeerAuthentication_MutualTLS
func (*PeerAuthentication_MutualTLS) MarshalTo ¶
func (m *PeerAuthentication_MutualTLS) MarshalTo(dAtA []byte) (int, error)
func (*PeerAuthentication_MutualTLS) MarshalToSizedBuffer ¶
func (m *PeerAuthentication_MutualTLS) MarshalToSizedBuffer(dAtA []byte) (int, error)
func (*PeerAuthentication_MutualTLS) ProtoMessage ¶
func (*PeerAuthentication_MutualTLS) ProtoMessage()
func (*PeerAuthentication_MutualTLS) Reset ¶
func (m *PeerAuthentication_MutualTLS) Reset()
func (*PeerAuthentication_MutualTLS) Size ¶
func (m *PeerAuthentication_MutualTLS) Size() (n int)
func (*PeerAuthentication_MutualTLS) String ¶
func (m *PeerAuthentication_MutualTLS) String() string
func (*PeerAuthentication_MutualTLS) Unmarshal ¶
func (m *PeerAuthentication_MutualTLS) Unmarshal(dAtA []byte) error
func (*PeerAuthentication_MutualTLS) UnmarshalJSON ¶
func (this *PeerAuthentication_MutualTLS) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for PeerAuthentication_MutualTLS
func (*PeerAuthentication_MutualTLS) XXX_DiscardUnknown ¶
func (m *PeerAuthentication_MutualTLS) XXX_DiscardUnknown()
func (*PeerAuthentication_MutualTLS) XXX_Marshal ¶
func (m *PeerAuthentication_MutualTLS) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*PeerAuthentication_MutualTLS) XXX_Merge ¶
func (m *PeerAuthentication_MutualTLS) XXX_Merge(src proto.Message)
func (*PeerAuthentication_MutualTLS) XXX_Size ¶
func (m *PeerAuthentication_MutualTLS) XXX_Size() int
func (*PeerAuthentication_MutualTLS) XXX_Unmarshal ¶
func (m *PeerAuthentication_MutualTLS) XXX_Unmarshal(b []byte) error
type PeerAuthentication_MutualTLS_Mode ¶
type PeerAuthentication_MutualTLS_Mode int32
const ( // Inherit from parent, if has one. Otherwise treated as PERMISSIVE. PeerAuthentication_MutualTLS_UNSET PeerAuthentication_MutualTLS_Mode = 0 // Connection is not tunneled. PeerAuthentication_MutualTLS_DISABLE PeerAuthentication_MutualTLS_Mode = 1 // Connection can be either plaintext or mTLS tunnel. PeerAuthentication_MutualTLS_PERMISSIVE PeerAuthentication_MutualTLS_Mode = 2 // Connection is an mTLS tunnel (TLS with client cert must be presented). PeerAuthentication_MutualTLS_STRICT PeerAuthentication_MutualTLS_Mode = 3 )
func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor ¶
func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int)
func (PeerAuthentication_MutualTLS_Mode) String ¶
func (x PeerAuthentication_MutualTLS_Mode) String() string
type RequestAuthentication ¶
type RequestAuthentication struct { // The selector determines the workloads to apply the RequestAuthentication on. // If not set, the policy will be applied to all workloads in the same namespace as the policy. Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token // will be used to extract the authenticated identity. // Each rule will be activated only when a token is presented at the location recorgnized by the // rule. The token will be validated based on the JWT rule config. If validation fails, the request will // be rejected. // Note: if more than one token is presented (at different locations), the output principal is nondeterministic. JwtRules []*JWTRule `protobuf:"bytes,2,rep,name=jwt_rules,json=jwtRules,proto3" json:"jwt_rules,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
RequestAuthentication defines what request authentication methods are supported by a workload. If will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples:
- Require JWT for all request for workloads that have label `app:httpbin`
```yaml apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin jwtRules: - issuer: "issuer-foo" jwksUri: https://example.com/.well-known/jwks.json
--- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin rules: - from: - source: requestPrincipals: ["*"]
```
- The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication` declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly set from the OpenID Connect spec).
```yaml apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin jwtRules: - issuer: "issuer-foo" - issuer: "issuer-bar"
--- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin rules: - from: - source: requestPrincipals: ["issuer-foo/*"] to: hosts: ["example.com"] - from: - source: requestPrincipals: ["issuer-bar/*"] to: hosts: ["another-host.com"]
```
- You can fine tune the authorization policy to set different requirement per path. For example, to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the authorization policy could be:
```yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin rules: - from: - source: requestPrincipals: ["*"] - to: - operation: paths: ["/healthz]
```
<!-- crd generation tags +cue-gen:RequestAuthentication:groupName:security.istio.io +cue-gen:RequestAuthentication:version:v1beta1 +cue-gen:RequestAuthentication:storageVersion +cue-gen:RequestAuthentication:annotations:helm.sh/resource-policy=keep +cue-gen:RequestAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:RequestAuthentication:subresource:status +cue-gen:RequestAuthentication:scope:Namespaced +cue-gen:RequestAuthentication:resource:categories=istio-io,security-istio-io,shortNames=ra -->
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->
func (*RequestAuthentication) DeepCopy ¶
func (in *RequestAuthentication) DeepCopy() *RequestAuthentication
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthentication. Required by controller-gen.
func (*RequestAuthentication) DeepCopyInto ¶
func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication)
DeepCopyInto supports using RequestAuthentication within kubernetes types, where deepcopy-gen is used.
func (*RequestAuthentication) Descriptor ¶
func (*RequestAuthentication) Descriptor() ([]byte, []int)
func (*RequestAuthentication) GetJwtRules ¶
func (m *RequestAuthentication) GetJwtRules() []*JWTRule
func (*RequestAuthentication) GetSelector ¶
func (m *RequestAuthentication) GetSelector() *v1beta1.WorkloadSelector
func (*RequestAuthentication) Marshal ¶
func (m *RequestAuthentication) Marshal() (dAtA []byte, err error)
func (*RequestAuthentication) MarshalJSON ¶
func (this *RequestAuthentication) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for RequestAuthentication
func (*RequestAuthentication) MarshalTo ¶
func (m *RequestAuthentication) MarshalTo(dAtA []byte) (int, error)
func (*RequestAuthentication) MarshalToSizedBuffer ¶
func (m *RequestAuthentication) MarshalToSizedBuffer(dAtA []byte) (int, error)
func (*RequestAuthentication) ProtoMessage ¶
func (*RequestAuthentication) ProtoMessage()
func (*RequestAuthentication) Reset ¶
func (m *RequestAuthentication) Reset()
func (*RequestAuthentication) Size ¶
func (m *RequestAuthentication) Size() (n int)
func (*RequestAuthentication) String ¶
func (m *RequestAuthentication) String() string
func (*RequestAuthentication) Unmarshal ¶
func (m *RequestAuthentication) Unmarshal(dAtA []byte) error
func (*RequestAuthentication) UnmarshalJSON ¶
func (this *RequestAuthentication) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for RequestAuthentication
func (*RequestAuthentication) XXX_DiscardUnknown ¶
func (m *RequestAuthentication) XXX_DiscardUnknown()
func (*RequestAuthentication) XXX_Marshal ¶
func (m *RequestAuthentication) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*RequestAuthentication) XXX_Merge ¶
func (m *RequestAuthentication) XXX_Merge(src proto.Message)
func (*RequestAuthentication) XXX_Size ¶
func (m *RequestAuthentication) XXX_Size() int
func (*RequestAuthentication) XXX_Unmarshal ¶
func (m *RequestAuthentication) XXX_Unmarshal(b []byte) error
type Rule ¶
type Rule struct { // Optional. from specifies the source of a request. // // If not set, any source is allowed. From []*Rule_From `protobuf:"bytes,1,rep,name=from,proto3" json:"from,omitempty"` // Optional. to specifies the operation of a request. // // If not set, any operation is allowed. To []*Rule_To `protobuf:"bytes,2,rep,name=to,proto3" json:"to,omitempty"` // Optional. when specifies a list of additional conditions of a request. // // If not set, any condition is allowed. When []*Condition `protobuf:"bytes,3,rep,name=when,proto3" json:"when,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.
Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
- Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". - Presence match: "*" will match when value is not empty.
func (*Rule) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. Required by controller-gen.
func (*Rule) DeepCopyInto ¶
DeepCopyInto supports using Rule within kubernetes types, where deepcopy-gen is used.
func (*Rule) Descriptor ¶
func (*Rule) MarshalJSON ¶
MarshalJSON is a custom marshaler for Rule
func (*Rule) ProtoMessage ¶
func (*Rule) ProtoMessage()
func (*Rule) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Rule
func (*Rule) XXX_DiscardUnknown ¶
func (m *Rule) XXX_DiscardUnknown()
func (*Rule) XXX_Unmarshal ¶
type Rule_From ¶
type Rule_From struct { // Source specifies the source of a request. Source *Source `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
From includes a list or sources.
func (*Rule_From) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule_From. Required by controller-gen.
func (*Rule_From) DeepCopyInto ¶
DeepCopyInto supports using Rule_From within kubernetes types, where deepcopy-gen is used.
func (*Rule_From) Descriptor ¶
func (*Rule_From) MarshalJSON ¶
MarshalJSON is a custom marshaler for Rule_From
func (*Rule_From) MarshalToSizedBuffer ¶
func (*Rule_From) ProtoMessage ¶
func (*Rule_From) ProtoMessage()
func (*Rule_From) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Rule_From
func (*Rule_From) XXX_DiscardUnknown ¶
func (m *Rule_From) XXX_DiscardUnknown()
func (*Rule_From) XXX_Marshal ¶
func (*Rule_From) XXX_Unmarshal ¶
type Rule_To ¶
type Rule_To struct { // Operation specifies the operation of a request. Operation *Operation `protobuf:"bytes,1,opt,name=operation,proto3" json:"operation,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
To includes a list or operations.
func (*Rule_To) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule_To. Required by controller-gen.
func (*Rule_To) DeepCopyInto ¶
DeepCopyInto supports using Rule_To within kubernetes types, where deepcopy-gen is used.
func (*Rule_To) Descriptor ¶
func (*Rule_To) GetOperation ¶
func (*Rule_To) MarshalJSON ¶
MarshalJSON is a custom marshaler for Rule_To
func (*Rule_To) MarshalToSizedBuffer ¶
func (*Rule_To) ProtoMessage ¶
func (*Rule_To) ProtoMessage()
func (*Rule_To) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Rule_To
func (*Rule_To) XXX_DiscardUnknown ¶
func (m *Rule_To) XXX_DiscardUnknown()
func (*Rule_To) XXX_Marshal ¶
func (*Rule_To) XXX_Unmarshal ¶
type Source ¶
type Source struct { // Optional. A list of source peer identities (i.e. service account), which // matches to the "source.principal" attribute. This field requires mTLS enabled. // // If not set, any principal is allowed. Principals []string `protobuf:"bytes,1,rep,name=principals,proto3" json:"principals,omitempty"` // Optional. A list of negative match of source peer identities. NotPrincipals []string `protobuf:"bytes,5,rep,name=not_principals,json=notPrincipals,proto3" json:"not_principals,omitempty"` // Optional. A list of request identities (i.e. "iss/sub" claims), which // matches to the "request.auth.principal" attribute. // // If not set, any request principal is allowed. RequestPrincipals []string `protobuf:"bytes,2,rep,name=request_principals,json=requestPrincipals,proto3" json:"request_principals,omitempty"` // Optional. A list of negative match of request identities. NotRequestPrincipals []string `protobuf:"bytes,6,rep,name=not_request_principals,json=notRequestPrincipals,proto3" json:"not_request_principals,omitempty"` // Optional. A list of namespaces, which matches to the "source.namespace" // attribute. This field requires mTLS enabled. // // If not set, any namespace is allowed. Namespaces []string `protobuf:"bytes,3,rep,name=namespaces,proto3" json:"namespaces,omitempty"` // Optional. A list of negative match of namespaces. NotNamespaces []string `protobuf:"bytes,7,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"` // Optional. A list of IP blocks, which matches to the "source.ip" attribute. // Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported. // // If not set, any IP is allowed. IpBlocks []string `protobuf:"bytes,4,rep,name=ip_blocks,json=ipBlocks,proto3" json:"ip_blocks,omitempty"` // Optional. A list of negative match of IP blocks. NotIpBlocks []string `protobuf:"bytes,8,rep,name=not_ip_blocks,json=notIpBlocks,proto3" json:"not_ip_blocks,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
Source specifies the source identities of a request. Fields in the source are ANDed together.
For example, the following source matches if the principal is "admin" or "dev" and the namespace is "prod" or "test" and the ip is not "1.2.3.4".
```yaml principals: ["admin", "dev"] namespaces: ["prod", "test"] not_ipblocks: ["1.2.3.4"] ```
func (*Source) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source. Required by controller-gen.
func (*Source) DeepCopyInto ¶
DeepCopyInto supports using Source within kubernetes types, where deepcopy-gen is used.
func (*Source) Descriptor ¶
func (*Source) GetIpBlocks ¶
func (*Source) GetNamespaces ¶
func (*Source) GetNotIpBlocks ¶
func (*Source) GetNotNamespaces ¶
func (*Source) GetNotPrincipals ¶
func (*Source) GetNotRequestPrincipals ¶
func (*Source) GetPrincipals ¶
func (*Source) GetRequestPrincipals ¶
func (*Source) MarshalJSON ¶
MarshalJSON is a custom marshaler for Source
func (*Source) MarshalToSizedBuffer ¶
func (*Source) ProtoMessage ¶
func (*Source) ProtoMessage()
func (*Source) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Source
func (*Source) XXX_DiscardUnknown ¶
func (m *Source) XXX_DiscardUnknown()
func (*Source) XXX_Marshal ¶
func (*Source) XXX_Unmarshal ¶
Source Files ¶
- authorization.pb.go
- authorization_deepcopy.gen.go
- authorization_json.gen.go
- jwt.pb.go
- jwt_deepcopy.gen.go
- jwt_json.gen.go
- peer_authentication.pb.go
- peer_authentication_deepcopy.gen.go
- peer_authentication_json.gen.go
- request_authentication.pb.go
- request_authentication_deepcopy.gen.go
- request_authentication_json.gen.go